Executive Summary
This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
| Informations | |||
|---|---|---|---|
| Name | CVE-2012-6497 | First vendor Publication | 2013-01-03 |
| Vendor | Cve | Last vendor Modification | 2024-11-21 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 5 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product. |
Original Source
| Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6497 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25) |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:18552 | |||
| Oval ID: | oval:org.mitre.oval:def:18552 | ||
| Title: | DSA-2597-1 rails - input validation error | ||
| Description: | joernchen of Phenoelit discovered that rails, an MVC ruby based framework geared for web application development, is not properly treating user-supplied input to <q>find_by_*</q> methods. Depending on how the ruby on rails application is using these methods, this allows an attacker to perform SQL injection attacks, e.g., to bypass authentication if Authlogic is used and the session secret token is known. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2597-1 CVE-2012-6496 CVE-2012-6497 | Version: | 7 |
| Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | rails |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2013-01-07 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2597.nasl - Type : ACT_GATHER_INFO |
Sources (Detail)
Alert History
| Date | Informations |
|---|---|
| 2024-11-28 22:58:39 |
|
| 2024-11-28 12:32:46 |
|
| 2024-08-02 12:22:04 |
|
| 2024-08-02 01:06:26 |
|
| 2024-02-02 01:21:24 |
|
| 2024-02-01 12:06:16 |
|
| 2023-09-05 12:20:14 |
|
| 2023-09-05 01:06:10 |
|
| 2023-09-02 12:20:15 |
|
| 2023-09-02 01:06:15 |
|
| 2023-08-12 12:24:15 |
|
| 2023-08-12 01:06:17 |
|
| 2023-08-11 12:20:23 |
|
| 2023-08-11 01:06:27 |
|
| 2023-08-06 12:19:37 |
|
| 2023-08-06 01:06:17 |
|
| 2023-08-04 12:19:41 |
|
| 2023-08-04 01:06:20 |
|
| 2023-07-14 12:19:39 |
|
| 2023-07-14 01:06:14 |
|
| 2023-05-19 21:27:47 |
|
| 2023-03-29 01:21:38 |
|
| 2023-03-28 12:06:22 |
|
| 2022-10-29 01:15:21 |
|
| 2022-10-11 12:17:34 |
|
| 2022-10-11 01:05:57 |
|
| 2021-05-05 01:11:44 |
|
| 2021-05-04 12:22:47 |
|
| 2021-04-22 01:27:09 |
|
| 2020-05-23 01:50:29 |
|
| 2020-05-23 00:35:29 |
|
| 2019-08-09 12:11:09 |
|
| 2019-08-09 12:05:11 |
|
| 2019-08-08 21:19:40 |
|
| 2016-12-08 09:23:26 |
|
| 2016-09-10 01:00:53 |
|
| 2016-04-26 22:35:54 |
|
| 2014-02-17 11:15:00 |
|
| 2013-05-10 22:51:23 |
|
| 2013-01-04 17:18:57 |
|
| 2013-01-04 13:20:09 |
|
